How to spot a phishing email

Phishing and spoof emails aim to obtain your secure information, passwords, or account numbers. These emails use deceptive means to try and trick you, like forging the sender’s address. Often, they ask for the reader to reply, call a phone number, or click on a weblink to steal personal information.

1. The email has improper spelling or grammar
This is one of the most common signs that an email isn’t legitimate. Sometimes, the mistake is easy to spot, such as ‘Dear eBay Costumer’ instead of ‘Dear eBay Customer.’

Others might be more difficult to spot, so make sure to look at the email in closer detail. For example, the subject line or the email itself might say “Health coverage for the unemployeed.” The word unemployed isn’t exactly difficult to spell. And any legitimate organizations would have editors who review their marketing emails carefully before sending it out. So when in doubt, check the email closely for misspellings and improper grammar.

Most English-language phishing expeditions are sent from countries where English is not the primary language. Attackers often give themselves away by imprecise use of English, even with quite common phrases, and including spelling errors. So read the message carefully.

Although a phishing attack may appear plausible at first glance, there are some tell-tale signs that should make you very cautious about clicking on any links or giving any personal information to the supposed sender.

2. The hyperlinked URL is different from the one shown
The hypertext link in a phishing email may include, say, the name of a legitimate bank. But when you hover the mouse over the link (without clicking it), you may discover in a small pop-up window that the actual URL differs from the one displayed and doesn’t contain the bank’s name.

(You should be aware that not all email software would show the actual URL in a pop-up window, however). Similarly, you can hover your mouse over the address in the ‘from’ field to see if the website domain matches that of the organization the email is supposed to have been sent from.

3. Content of the email In almost all countries, banks and other financial bodies will not email you to tell you about problems with your account. They recognise that email is fundamentally insecure and that personal information should not be sent by email. So, even the method of communication will give you a clue about whether it’s genuine. The email may give a false sense of urgency, claiming that your account is at risk if you do not act quickly. This is not the case.

4. Poor quality images Sometimes, the images used in the emails are fuzzy, or your information may appear as an image rather than type. These images have been copied from screens and would not be used by original companies. It is easy to obtain images every bit as good as the originals though, so a high quality image should not persuade you the message is genuine.

5. The email urges you to take immediate action
Often, a phishing email tries to trick you into clicking a link by claiming that your account has been closed or put on hold, or that there’s been fraudulent activity requiring your immediate attention. Of course, it’s possible you may receive a legitimate message informing you to take action on your account. To be safe, though, don’t click the link in the email, no matter how authentic it appears to be. Instead, log into the account in question directly by visiting the appropriate website, then check your account status.

6. The email says you’ve won a contest you haven’t entered
A common phishing scam is to send an email informing recipients they’ve won a lottery or some other prize. All they have to do is click the link and enter their personal information online. Chances are, if you’ve never bought a lottery ticket or entered to win a prize, the email is a scam.

7. Who is it to? Many, but not all phishing attacks do not use your name in the introduction – preferring ‘Dear valued customer,’ or ‘Dear user,’. This is because they cannot personalise the emails sufficiently. Your bank or online store can do this and should address you as ‘Dear Bob,’ or ‘Dear Mrs Jones,’ (or whatever your name is).

8. The email asks you to make a donation
As unbelievable as it may seem, scam artists often send out phishing emails inviting recipients to donate to a worthy cause after a natural or other tragedy. For example, after Hurricane Katrina, the American Red Cross reported more than 15 fraudulent websites were designed to look like legitimate Red Cross appeals for relief efforts. Potential victims received phishing emails asking them to donate to the Red Cross, with links to malicious sites that stole their credit card numbers. If you’d like to make a donation to a charity, do so by visiting their website directly.

9. The email includes suspicious attachments
It would be highly unusual for a legitimate organization to send you an email with an attachment, unless it’s a document you’ve requested. As always, if you receive an email that looks in any way suspicious, never click to download the attachment, as it could be malware.

Test your phishing IQ
PayPal has a ‘Can You Spot Phishing?’ online quiz to test how savvy you are about scam emails. How well did you do?